A short history of remote or off-campus access

Eduserv developed the Athens system for remote access to e-resources. It worked as a list of usernames and passwords hosted by Eduserv, and it allowed off-campus access without the need for VPN (which would authenticate the user via IP address). VPN installation is not always easy (Mac users?) or possible (people in internet cafes or other places where they can’t download software onto the computer they’re using), and so was a great leap forward.

However, it was costly: JISC funded Athens access for UK higher education institutions and publishers also had to pay for it to work with their products. JISC funded the access via Eduserv, but Athens was not a JISC product.

More recently, Shibboleth was developed as an open source software solution for web single sign-on for organisations, so it is free to use for both institutions and publishers. In July 2008, JISC withdrew funding for Athens and started up their own access management organisation, The UK Access Management Federation. Athens authentication continues to exist and is available on a subscription basis.

Hardly any US-based publishers (e.g. Highwire) used Athens, so switching to Shibboleth authentication meant that a wider range of resources was available off-campus than ever before.

What is EZproxy and how does it work with SSO?

EZproxy is another tool for remote access and it works by mimicking the Oxford IP range (like VPN):

EZproxy helps provide users with remote access to Web-based licensed content offered by libraries. It is middleware that authenticates library users against local authentication systems and provides remote access to licensed content based on the user’s authorization

Many e-journals and databases work with “Shibbolised” EZproxy, in which the proxy server is accessed via SSO. The user is authenticated via SSO and then access to the proxy server is enabled, allows access to the resource via IP address authentication. This means that IP-authenticated resources which aren’t SSO-compliant can be accessed off-campus using SSO via Shibbolised EZproxy.

E-resources access and walk-in users

EZproxy doesn’t kick in on-campus, so IP-authenticated resources allow walk-in user access. In universities, walk-in users are visiting scholars or people with reader access who are not members of the University, and do not have SSO accounts.

Some publishers (usually in the legal or business fields) do not want to allow walk-in user access to their resources, so they require SSO authentication even on-campus. Shibboleth access is secure and also gives them log files of user activity, so they can trace anyone they suspect of breaking the terms of their licence, for example by systematic downloading of their content.

Usernames and passwords

A few publishers still rely on username and password authentication based on usernames that they issue. Typically, these are legal databases whose business model involves selling access to a few people at a variety of institutions in the commercial sector, and so they are not set up for other authentication methods.

These usernames and passwords are then stored on an SSO-protected website, such as Weblearn, our university’s virtual learning environment.

Other advantages of SSO over Athens

SSO provides more up-to-date authentication, as it retrieves user information from the identity provider each time access is requested. The usernames and passwords hosted by Eduserv were only updated every month or so, so someone who had previously been a member of the University would often still be able to access resources for some time after they left. SSO permissions can be finely tuned so that a student will lose their e-resources access immediately after finishing their course, but retain SSO access to their email until several months later. Users are more aware of the value of their SSO, since it lets them in to so many services, and are less likely to share (or sell) it to other (non-University) people. This had been a problem in the past with Athens usernames and passwords.

How Shibboleth works

The aim of a single sign-on system is to be able to access multiple resources with a single identity. A variety of service providers (SPs, such as e-resources publishers) can sign up to work with Shibboleth, and a range of identity providers (IdPs, such as universities) can have users’ accounts verified by Shibboleth:

Shibboleth acts as a mediator between the services and the users (with different identities, affiliations and levels of permissions). Therefore, when you access ScienceDirect via SSO, Shibboleth checks who you are and details about the service you are trying to access. If it can identify you as a member of the University of Oxford and verify that the University has a current subscription to ScienceDirect, it will allow you access.